Modern Protocol Problems with an Old Firewall
Legacy systems are part of any mature technical environment. While I was both impressed and shocked to be recently presented with a SunOS 5.7 box (an OS dating from 1998!) that I had to assist with an issue on, there are other places where, unfortunately, legacy technology can’t quite keep up.
Take the Juniper NetScreen-5000 series of firewalls. While they’re still very capable firewalls, the firmware running on them is over a decade old and they’re very much end-of-life now.
Thankfully, it’s been replaced by something more modern, but going through the process did bring some curious issues to light. The first of these was packets being dropped at low-ish throughput levels. The “in overrun” counter was slowly creeping up on all active interfaces. This counter records packets that were received error-free but that the software didn’t have the resources to process. It basically means a receive buffer isn’t draining fast enough.
Usually you can tie this issue to CPU or memory resources running a bit too tight. In this case, we were seeing an idling CPU and very little memory in use. It was similar to an issue we (and a few other organisations) have seen with Meru wireless controllers, which effectively capped the throughput on those controllers in much the same way that saturating a link would. The catch was that it happened at under 500Mbps, well below the expected capacity of the hardware.
Anyway, back to the firewalls. Admittedly we never did find a good reason for the failure. Even the session count was well below the expected capacity of the hardware and software. But what we did see was a huge number of UDP flood attacks being logged.
Specifically, these packets were being seen from Google addresses on 443. If you’ve not twigged yet, UDP traffic on 443 to/from Google is completely normal and expected. Especially if your endpoints are running Chrome.
The QUIC protocol, which runs over UDP, is intended as a replacement for SSL over TCP, with the goal of improving performance. Chrome uses it where possible as an alternative to SSL over TCP for web traffic. All those YouTube cat videos come down the pipe as QUIC if you allow it.
And that’s where our firewall gets confused. The software on it (never mind the hardware) was written before the protocol ever existed. Seeing all those UDP packets flying at it causes it to trigger the alarm and fill the log. It also took defensive action and dropped packets (that was logged in another counter).
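Before treating a burst of “UDP flood” alerts like the ones above as an attack, it is worth sorting them by whether they involve UDP/443, since that is the QUIC signature. The script below is an added example, not code from the original post or from Juniper: it parses a hypothetical flood-alert line format (real NetScreen syslog output differs, so `ALERT_RE` would need adjusting), uses a placeholder allowlist of known QUIC peers, and runs over constructed sample log lines.

```python
"""Triage firewall 'UDP flood' alerts: separate UDP/443 (probable QUIC) from the rest.

Added example. The alert line format, the peer allowlist and the sample log
are all constructed for illustration and do not come from a real device.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical alert line: "UDP flood! From <src>:<sport> to <dst>:<dport>"
ALERT_RE = re.compile(
    r"UDP flood! From (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Placeholder for the operator's allowlist of known QUIC peers (for example the
# address ranges a CDN publishes). TEST-NET-3 stands in here; it is not a real list.
KNOWN_QUIC_PEERS = [ip_network("203.0.113.0/24")]

# Constructed sample log, not captured from a real firewall.
SAMPLE_LOG = """\
2016-03-01 10:00:01 fw1: UDP flood! From 203.0.113.10:443 to 192.0.2.50:51234
2016-03-01 10:00:02 fw1: UDP flood! From 203.0.113.11:443 to 192.0.2.51:51240
2016-03-01 10:00:03 fw1: UDP flood! From 198.51.100.7:443 to 192.0.2.52:51300
2016-03-01 10:00:04 fw1: UDP flood! From 198.51.100.9:40000 to 192.0.2.53:53
2016-03-01 10:00:05 fw1: system reset by admin
"""


def parse_alerts(log_text):
    """Yield one dict per line that matches the flood-alert pattern; other lines are skipped."""
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alert = m.groupdict()
            alert["sport"] = int(alert["sport"])
            alert["dport"] = int(alert["dport"])
            yield alert


def classify(alert):
    """Bucket an alert by how likely it is to be QUIC rather than a real flood."""
    on_443 = 443 in (alert["sport"], alert["dport"])
    if not on_443:
        return "other"                      # not the QUIC port; investigate as usual
    # For UDP/443 the remote peer is whichever end is speaking on port 443.
    remote = ip_address(alert["src"] if alert["sport"] == 443 else alert["dst"])
    if any(remote in net for net in KNOWN_QUIC_PEERS):
        return "quic-known-peer"            # expected browser QUIC traffic
    return "udp443-unverified"              # QUIC-shaped, but peer not on the allowlist


def summarize(log_text):
    """Count alerts per bucket so the analyst sees at a glance what dominates."""
    return Counter(classify(a) for a in parse_alerts(log_text))


if __name__ == "__main__":
    for bucket, count in summarize(SAMPLE_LOG).most_common():
        print(f"{bucket:20s} {count}")
```

If the `quic-known-peer` bucket dominates, the flood screen is firing on normal browser traffic and the fix is to tune or scope the screen (or, as in this case, retire the box) rather than to chase attackers; the `udp443-unverified` bucket is the one that still deserves a look.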
While it may not have been the root cause of the failures on the box (we suspect resource exhaustion), it did pique my interest.